Number of concurent connections

Hi guys,

I’ve just joined this thing as a contributor yesterday. So far so good. I have a server running on my firewall (Sophos UTM). It was running on my Synology device at first but there was no reason to route the traffic inside my network since firewall can do it all.
Following the instructions found on i was expecting lower network impact than it really is. It’s not the traffic volume that looks strange but number of concurrent connections - currently it’s at 32.000 which is a limit determined by my firewall license. It’s usually between 20.000 and 30.000 with NTP service running (prior to running NTP server it was always under 1000). I don’t have an issue with that since everything seems to be running fine (it’s a N3700 machine with 8 GB of ram) - but just wondering if that’s normal? On the settings page I’ve set my upload speed to 10 mbps as that really is my upload speed (ftth 100/10).
So, my question is - is this due to a shortage of NTP servers here in ireland or something isn’t right?


Hi, thank you for contributing!

The system in Ireland might be a bit underserved, yes.

For NTP keeping sessions really doesn’t make sense. Can you make the NTP firewall rules stateless? How many queries are you getting per second?

The “10 mbps” is really just a weight relative to the other IPs added to the system, so if you set it to less you should get less queries.

Thanks for your response. Not sure about number of NTP queries, but it’s around 70 million UDP packets per day (maybe more since i can see the load is getting bigger). It’s not a real issue as everything seems to be working fine, i was just confused with the number.
I won’t change anything these days because i will be setting up Stratum 1 server shortly. So here’s another question - should i just leave it running as a part of the pool or is there something else that would be better (not sure because it’s stratum 1)? That server would replace the one i have running currently.

Basically if the monitoring system says the server is okay, then the contribution is appreciated! If the monitoring system is unhappy, then post here if it seems like it should have been happy. :slight_smile:

If the stratum 1 is on the same network, then having just the stratum 1 might make more sense.

Had to put my NTP server offline temporarily… Something is terribly wrong here in Ireland. My firewall was acting strange and i couldn’t tell why. Made factory reset and in a 15 minutes or so i had 120.000 NTP requests. Multiple hosts with more than 100 requests (30 hosts roughly, all from Ireland). One of them ( is currently at 760 requests within this time period. It’s ridiculous…

And another update…
I’ve NAT-ed all the traffic to non-existing IP address and now my firewall feels a bit better. Also, i’ve turned on the logging for that particular NAT rule.
Result: 11.244 requests in 90 seconds. Did a brief check of 15-20 IPs and only found one or two entries for each. The only exception is the one I’ve mentioned in my previous post ( with a total of 71 requests in those 90 seconds.
Number of requests has actually decreased since i’ve taken my NTP server offline. “Live” number of requests was beyond ridiculous. I don’t plan to get my server back online if that’s the usual load since i have to disable FW logging completely and i need those logs for other things too. Any thoughts? I can provide the FW log for these 90 seconds if necessary. Thanks

I don’t know about traffic levels for the Ireland pool specifically, but…

133 requests per second is pretty light.

It adds up to a lot of “connections” in a stateful firewall, but it’s a low amount of traffic.

Yeah. A portion of clients behave pretty terribly. :slightly_frowning_face:

Some of them will be a large number of computers behind a single NAT IP address.

But some of them aren’t.

1 request every 9 seconds isn’t that bad. I mean, it’s bad, but it could be a lot worse.

Does your firewall support disabling logging for only UDP port 123?

I think i can handle the logging issue (turn it off for that particular service/port).
Since server was freshly removed from the pool I’m still getting a lot of requests. What surprises me is the origin of those requests.

What’s the point of devices from China, USA or middle east querying NTP server in Ireland?